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Applicant's response of 3/29/06 has been entered. 

1 . 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title.. 

2. Claims 16-18,24,31, are rejected under 35 U.S.C. 101 because the claimed 
invention is directed to non-statutory subject matter. 

For claims 16-18,24, it is claimed that a QFD score is calculated and that a PRN 
is calculated using a specific formula. The examiner takes notice of the fact that it is a 
person that decides what values the variables of "severity rating" and "process strength 
rating" are supposed to have for the QFD. The QFD is calculated from the multiplication 
of these two values together, see page 16 of the instant specification. Because all of 
the variables used to calculate the QFD score are disclosed as being determined by 
people, the result of the invention is not considered to be concrete (i.e. it is not capable 
of being repeated to arrive at a particular result). Because of the fact that different 
people may ascribe different values to the variables used in the equation, the result is 
not guaranteed. The claim is not statutory because the result is not concrete (i.e. it is 
not capable of being repeated due to the human factor). The input is judgmental and 
will vary from person to person so the result will vary as well. The same holds true for 
claim 24 that recites the variables used to calculate a PRN, the values are determined 
by people and are judgmental in nature; therefore, the claim does not have a concrete 
result. Additionally, because the results are not concrete, the examiner does not see 
how the result is useful in the context of 35 USC 101 . Because the QFD score is only 
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as accurate as the inputted data is accurate, the result is not considered to be useful. If 
the result can vary depending on the person deciding what values the variables of the 
equation are supposed to have, then one cannot have any confidence in the obtained 
result, because it is only as good as the data inputted into the equation. There is no 
guarantee that the result obtained is even accurate, because the entire equation is 
based on a person's perception and judgments as to what the severity rating is and 
what the strength process rating is. 

For claim 31 , the examiner notes that the apparatus claim contains a recitation 
directed to using recited structure of the system. This is improper because a claim 
cannot be both an apparatus claim and a method claim. This is a mixing of two distinct 
statutory classes of invention. The limitation of "the questionnaire is transmitted from 
said. server to said computer..." is a positive recitation of doing a step in a method, in an 
apparatus claim. This is improper and renders the claim as non-statutory. 

3. The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

4. Claims 31-89, are rejected under 35 U.S.C. 112, first paragraph, as failing to 
comply with the enablement requirement. The claim(s) contains subject matter which 
was not described in the specification in such a way as to enable one skilled in the art to 
which it pertains, or with which it is most nearly connected, to make and/or use the 
invention. 
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With respect to claims 31 ,63-89, and the recitation that the server prioritizes the 
compliance risks for the business, identifies potential failure modes with causes and 
effects, and recommends risk monitoring and control mechanisms, one of skill in the art 
would not be able to make the server do what is claimed. This is because the applicant 
has disclosed that it is people that do these steps, not the server. One of skill in the art 
would not be able to figure out how to get the server to prioritize the risks because this 
depends on what the business sees as the most risky based on any known 
consequences that may happen if the risk materializes. How would one of skill in the art 
go about making the server prioritize the risks, especially for a plurality of different 
business settings that have different compliance issues that need to be dealt with? How 
is this done? How can the server know what to do? With respect to identifying failure 
modes and the causes and effects, how is this done by the server? How does the 
server know what possible failures could occur for any kind of business process? The 
same is true for the recommendation of risk monitoring and control mechanisms, how 
does the server do this? One of skill in the art would be left guessing how to program 
the server to do what the specification disclosed is being done by people. The server is 
clearly used in the storing of data and in collecting/receiving the data, but the 
specification is full of references to the fact that it is people doing the majority of the 
actions, not the server. One of skill in the art would not be able to make the invention 
as claimed and undue experimentation would be involved to make the server to do what 
is claimed. The claims are not enabled because one of skill in the art would not be able 
to make a server that does everything that is claimed. 
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For claims 63-89 the following paragraphs are relevant to what is claimed. 

For claims 32,33,35,36, the claim is not enabled. How can the server assemble 
the cross-functional team and conduct an interview with a person, etc.. As stated with 
respect to claim 31 , people are disclosed as doing these steps, not the server. People, 
not the server, also do the summary of the results. One of skill in the art would not be 
able to make the server do what is claimed and undue experimentation would be 
involved. 

For claim 34, one of skill in the art would not be able to go about and make a 
server that can create a questionnaire as claimed. How can the server know what the 
business is and what questions should be asked? The server cannot do this step, 
people do. Applicant has not disclosed how one of skill in the art can make the server 
do what is claimed. 

For claims 37,38, how can the server compile results on its own? One of skill in 
the art would not know how to go about and make the server do what is claimed. 

For claims 39-42, how would one of skill in the art go about making the server 
prioritize the risks deemed to be important to the business, especially when that is 
disclosed as being done by people. The server is not capable of knowing what the 
business management members know and cannot map a risk model, compile 
compliance requirements and prioritize them, assign a severity rating (disclosed as 
being done by people), etc.. One of skill in the art would not be able to make the server 
do what is claimed, especially in view of the fact that the specification discloses that 
people do these steps. The same is true for claim 40, the guidance from the 
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specification does not include how to make the server do what is claimed because 
people do it. For claim 41 , how does the server compile a list of requirements that 
include company policy as well as the other recited requirements? The server does not 
compile the various requirements it is an employee that compiles the requirements. 

Claims 43-62 are also found to be non-enabled for the same reasoning as set 
forth above. The specification teaches that people compile the list of compliance 
requirements, people prioritize the risks, people assign severity ratings and process 
strength ratings, people map the risk model and identify possible failure modes, assign 
occurrence and detection factors, define recommended actions, etc.. 

For all of claims 31-89, Applicant has not given enough disclosure to enable one 
of skill in the art to make a computer system that has a server that does everything that 
is claimed. One of skill in the art reading the specification would be very confused 
because of the fact that it is disclosed that people do most of the recites steps, not the 
server. One of skill in the art would have to undergo undue experimentation to design 
an intelligent system that can basically tell management what to do and more or less 
run the company with respect to compliance issues. The way the claims are written it is 
the server doing everything, but the specification teaches that most of the steps are 
done by people. The claims are not enabled for these reasons. 
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5. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

6. Claims 2,5,6,8,11,21,23,26,29,31-62,70, are rejected under 35 U.S.C. 112, 
second paragraph, as being indefinite for failing to particularly point out and distinctly 
claim the subject matter which applicant regards as the invention. 

For daims 2,8,32,34,50 the portion of claim 2 that recites "identifying and 
interviewing process owners for the questionnaire answers" seems to contradict the 
amended language for claim 1. This problem then flows to claim 8. Claim 1 recites that 
the questionnaire is displayed on a client system of a compliance person and they are 
the ones that submit answers. Claim 2 is reciting process owners as being interviewed. 
Which is correct? The language from claim 1 or what is claimed in claim 2? It is not 
clear as to who is providing answers for the questionnaire, is it the compliance person 
or the process owners? This is not clear. 

For claim 5, it is claimed that the cross-functional team "that was used to conduct 
the compliance program assessment" is reassembled. Where was it previously claimed 
that a cross functional team was assembled to do any kind of compliance assessment? 
This is not previously recited as being in the claim scope, in fact that previous language 
about conducing a program assessment was canceled by amendment and it appears 
this claim was simply not amended to be in agreement with earlier claims. This renders 
the claim indefinite because it is not known if the claim requires a functional team to 
conduct a compliance program assessment or not and it is not clear if they are being 
assembled once or more than once? With respect to the limitation of "assigning 
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severity, occurrence, and detection Factors", what does this mean? Assigned the 
factors to what? This is indefinite because it is not clear what it means. The claimed 
recitation of "calculating Risk Prioritization Numbers" is also not clear. Is this another 
calculation step of another set of RPNs in addition to the RPN calculation step that is 
recited in claim 1? How many different risk prioritization numbers are being calculated? 
Both claims recite the calculation of numbers with the same name. With respect to the 
"defining scorecard content", what does this mean? What scorecard? Due to the 
indefiniteness of the claim as a whole, it will be examined as the claim is best 
understood by the examiner. 

For claim 6, the language "implementing risk monitoring and control mechanisms 
are in place" makes no sense and is considered indefinite for this reason. What does 
this portion mean? 

For claim 1 1 ,39, it is claimed that a list of compliance requirements is compiled. 
Claim 1 recites that the requirements are stored in the database. Are these the same 
requirements or two different sets of requirements? This is not clear. Also, if the 
requirements are already recited as being saved in a database, which is a list, what 
does this step require that is not already within the scope of claim 1? It has also been 
claimed that compliance requirements were prioritized, so is this a recitation to the 
same step that has already been recited? With respect to the entering of a severity 
rating, this is also already clamed in claim 1 because it is claimed that the risks are 
prioritized based on a severity rating. The severity rating inherently must have been 
entered in claim 1 to allow the prioritization step to occur, otherwise the method cannot 
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be performed correctly if you don't have the required data to perform a step. Also, the 
step of prioritizing compliance risk areas is not clear because claim 1 already recites 
that the compliance risks are being prioritized. Is this the same step as recited in claim 
1 , if not then what is the difference. What is the claimed quality function deployment? 
The specification discloses a QFD matrix, but nothing about something called a quality 
function deployment? Are they the same thing? Without the word "matrix", the term 
quality function deployment does not even seem to be a noun. What is it? Due to the 
indefiniteness of the claim as a whole, it will be examined as the claim is best 
understood by the examiner. 

For claim 21,51,52, it is not clear if there are two process maps being claimed or 
just one. Is the process map that has the matrix the same process map as is recited in 
line 3? This is not clear. 

For claim 23, there is no antecedent basis for "the failure mode and effect 
analysis matrix". No matrix of this kind has previously been claimed and it is not clear 
as to what this is referring to. The scope of this claim is not clear. 

For claim 26,57, it is not clear as to what the limitation of "automatically 
reassigning ratings" is referring to. What ratings? It seems that the only rating claimed 
in the scope of this claims is found in claim 1 (severity rating). What other ratings have 
been claimed? It is not clear as to what this claim is requiring. 

For claim 29,59, what is a "policy dashboard"? One wishing to avoid 
infringement would not know what this is. This renders the claim as indefinite. 
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For claim 31 , it is not clear what statutory class of invention is being claimed. Is 
this an apparatus claim or a method claim? The limitation of "the questionnaire is 
transmitted from said server to said computer..." is a positive recitation of doing a step 
of a method, in what otherwise appears to be an apparatus claim. Additionally, one 
wishing to avoid infringement would not know if just having the claimed system would 
be infringement, or if having the claimed system and using it in the claimed manner 
would be infringement. This confusion arises from the fact that applicant has a 
limitation directed to a method of using the recited structural elements of the system. 

For claim 70, there is no antecedent basis for most of the claimed language. 
This is because the language referred to in claim 70 was canceled by the most recent 
amendment and claim 70 was not amended accordingly. Correction is required. The 
claim scope if indefinite because it is not clear as to what is being claimed. 

7. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 1 02 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

8. This application currently names joint inventors. In considering patentability of 
the claims under 35 U.S.C. 103(a), the examiner presumes that the subject matter of 
the various claims was commonly owned at the time any inventions covered therein 
were made absent any evidence to the contrary. Applicant is advised of the obligation 
under 37 CFR 1 .56 to point out the inventor and invention dates of each claim that was 
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not commonly owned at the time a later invention was made in order for the examiner to 
consider the applicability of 35 U.S.C. 103(c) and potential 35 U.S.C. 102(e), (f) or (g) 
prior art under 35 U.S.C. 103(a). 

9. Claims 1-16,18-23,25-45,47-53,55-89, are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Fetherston (20020120642). 

For claims 1,3,5,6,11-16,18,19,21,23,29,31,39-45,47,48,51,52,59,63-65,68- 
74,76-89, Fetherston discloses a system and method of determining a company's 
compliance with legislative conditions and/or internal managerial conditions. Fetherston 
discloses a compliance management system that determines and identifies compliance 
or lack of compliance with certain criteria (relating to processes or products of 
business). The server is 2 and the database is 4 and/or 16. The client system is 
disclosed in paragraph 28 where it is disclosed that the system can be a "stand alone" 
computer or may be connected to other components (computers) of a network. It is 
also stated that the system can be implemented on separate networked computers 
accessible from all or selected levels of an organization. Information concerning 
compliance is stored in the database as claimed. This includes a questionnaire (see 
figure 4, paragraphs 34 and 38) and compliance requirements (see paragraph 12). Also 
see figure 4 where it is disclosed that one of the data entries is the "Department". 
Identifying the department also identifies the persons responsible for compliance (i.e. 
the employees in that department). In paragraph 38 it is disclosed that a user is forced 
to follow a process and pattern of data entry (by using a computer) to collect data 
needed to determine the level of compliance with the saved compliance requirements. 
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This involves the displaying of the questionnaire of figure 4 on a client system (a 
computer) that is inherently based on saved compliance information relating the 
whatever requirements have to be complied with. The server 2 then receives the 
entered data, and saving the data "processes" the data. The system also prioritizes the 
compliance risk for a business by identifying the compliance risks and prioritizing them 
from high to low based on a severity rating. Paragraph 42 discloses the identification of 
hazards (risks) that exceed a certain rating. This satisfies the claimed identification of 
the compliance risks. Assigning a numerical priority to each risk by using a "risk 
assessment rating" prioritizes the identified risks. The risk assessment rating satisfies 
the claimed "severity rating". The calculating of a risk prioritization number for each risk 
is satisfied by the disclosure that "the user may specify the threshold value, enabling an 
organization to concentrate first on high priority hazards by specifying a high threshold, 
then lowering the threshold to concentrate on lower priority hazards". The user 
"calculates" or figures out how important each risk is at the present time (based on 
factors which inherently include current compliance with certain criteria, which is saved 
data stored in the database) to arrive at a prioritization number (threshold value) for 
each risk. Once the various risks are analyzed and management is aware of potential 
problems, implementation of controls such as training can be done. The database also 
stores information on training to be given (a control). 

Not specifically disclosed is the step of identifying failure modes with the causes 
and effects of the compliance failure modes along with the storing of this data in the 
database (also relates to the claimed FEMA for claim 11). When one receives an 
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indication that certain legislative requirements (or internal company criteria) are not 
being met, one of ordinary skill in the art would obviously want to know why that is 
happening, so that the problem can be fixed. Upon receiving information that indicates 
failure to comply with certain compliance requirements, one of ordinary skill in the art at 
the time the invention was made would have been motivated to identify failure modes 
for each risk, with the associated causes and effects of those failure modes so that the 
problem can be corrected (by taking actions). This is how one of ordinary skill in the art 
would go about correcting the non-compliance issues identified. You must first identify 
the problem and figure out why it is happening (causes/effects) before you can arrive at 
a solution (an action). One of ordinary skill in the art would have been motivated to do 
what is claimed. With respect to the storing of the data in the database, the Background 
of the invention section states that some legislation requires employers "to provide an 
audit trail of their actions that is sufficiently transparent to show that they have an 
effective management program which includes hazard identification, appropriate training 
and supervision of staff, recording details", etc.. One of ordinary skill in the art at the 
time the invention was made would have been motivated to save all of the compliance 
data in the database to ensure that there is a transparent audit trail that would be 
evidence of management doing what they are supposed to be doing as far as 
compliance monitoring goes. 

For claims 2,32,34,50, with respect to the limitation of defining what constitutes a 
yes answer, the examiner notes that paragraph 37 discloses that one of the formats for 
the questionnaire is a "true/false" type of format. That is the same as having yes or no 
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answers. This inherently involves a previous determination as to what defines a yes 
(true) or no (false) answer so that the compliance assessment can be performed. 
People make up the forms and the questions, not the computer system. In Fetherston 
questionnaire answers are obtained, and results are complied and presented to 
management as claimed. Not disclosed is a "binary questionnaire", and the assembling 
of a cross functional team. With respect to the "binary questionnaire", the use of binary 
code is very old and well known in the art. Binary language is the basic language that 
computers use for data. It would have been obvious to one of ordinary skill in the art at 
the time the invention was made to use a "binary" questionnaire because the use of 
binary code is very old and well known in the art and is something that one of ordinary 
skill in the art would readily be aware of. With respect to the assembling of a cross 
functional team, the examiner notes that applicant does not actually recite that the team 
does anything. One of ordinary skill in the art at the time the invention was made would 
have found it obvious to assemble a cross functional team (a team of employees) that 
would serve to help set up. the entire compliance monitoring system and assist in 
determining what questions should be asked when a "true/false" format for the 
questionnaire is used. 

For claim 4, not specifically disclosed is the step of identifying failure modes with 
the causes and effects of the compliance failure modes along with the storing of this 
data in the database. When one receives an indication that certain legislative 
requirements (or internal company criteria) are not being met, one of ordinary skill in the 
art would obviously want to know why that is happening, so that the problem can be 
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fixed. Upon receiving information that indicates failure to comply with certain 
compliance requirements, one of ordinary skill in the art at the time the invention was 
made would have been motivated to identify failure modes for each risk, with the 
associated causes and effects of those failure modes so that the problem can be 
corrected. This is how one of ordinary skill in the art would go about correcting the non- 
compliance issues identified. You must first identify the problem and figure out why it is 
happening (causes/effects) before you can arrive at a solution. One of ordinary skill in 
the art would have been motivated to do what is claimed. Also not disclosed is the 
prioritizing actions that need to be taken and the developing of a scorecard to be used 
as a monitoring and reporting tool. With respect to the prioritizing of actions that need 
to be taken, when one determines the reason why non-compliance is occurring and 
develops a proposed solution (actions that need to be taken), one of ordinary skill in the 
art at the time the invention was made would have been motivated to prioritize those 
actions that need to be taken so more effort can be spent on those actions that will 
provide more of a positive result, so that effort is not spent on actions that have a small 
effect on the problem. With respect to the development of a policy scorecard, one of 
ordinary skill in the art at the time the invention was made would have found it obvious 
to have some manner by which one could grade the efforts of management in 
compliance monitoring and in correcting any issues of non-compliance. This is 
interpreted to be the mere assessment or appraisal of the company in its efforts to 
ensure company compliance and in fixing the problems. Appraisals or reports on the 
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performance of a company or a part of a company are nothing new (i.e. GAO reports of 
the Federal Government). 

With respect to claim 7, in addition to that disclosed above, not disclosed is 
ensuring that the actions are completed in a timely manner. One of ordinary skill in the 
art at the time the invention was made would have been motivated to ensure that any 
corrective actions that need to be taken are done in a timely manner, so that the 
identified non-compliance risks will not continue. Timely completion of taking action to 
correct the problems is something that one of ordinary skill in the art would clearly 
appreciate. 

For claims 5,33,35,36,66,67, the questionnaire is a "question owners matrix". It 
is a matrix of questions to be answered. The use of a knowledge base is the use of the 
computer system and the stored data. That is a knowledge base. 

For claims 9,37, not disclosed is the use of a spreadsheet to compile the results. 
It is old and well known in the art that spreadsheets are used to process data and 
display data for anything one desires. One of ordinary skill in the art would have this 
fact in their knowledge. It would have been obvious to one of ordinary skill in the art at 
the time the invention was made to use a spreadsheet to display results data, because 
spreadsheets are well known as being a commonly used format to display data and is 
something that one of ordinary skill in the art would understand and appreciate. 

For claims 10,30,38, not disclosed specifically is the use of a program 
assessment summary and a policy assessment summary. Taking into consideration 
that the reason you are tracking compliance data is to ensure that you are in 
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compliance with certain regulations or criteria and given that summary data is complied 
in Fetherston, it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to present the upper members of management with a summary 
of how the "compliance program" is going by having a program assessment (is the 
program working and achieving real world results that justify the program's existence) 
and a policy summary, that summarizes what policies (i.e. training programs) are 
working or not working. One of ordinary skill in the art would have been motivated to 
summarize the results as claimed. 

For claims 1 1 ,39, not disclosed is the mapping of a high level business risk 
model and a quality function deployment. With respect to the risk model, one of 
ordinary skill in the art would have found the use of a risk model (very broad language) 
as obvious, because this is the way that one would go about analyzing the risk to a 
company. You would construct a risk model, which can simply be a report of the 
possible risks and how they may affect the company. With respect to the quality 
function deployment, as this is best understood by the examiner, this is the use of a 
matrix to summarize the compliance requirements (from page 12 of the instant 
specification). The use of a matrix is old and well known in the art. One of ordinary skill 
in the art would have found the use of a matrix obvious because one of ordinary skill in 
the art would recognize that matrixes can be used to summarize any kind of data one 
desires. 

For claims 20,49, not disclosed is the identifying of the top 3-5 compliance 
requirements that have the highest risk. One of ordinary skill in the art would clearly be 
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the most concerned with those compliance areas that have the greatest risk. This is 
just obvious common sense that one of ordinary skill in the art would recognize. With 
respect to determining the top 3-5 compliance requirements, one of ordinary skill in the 
art would find it obvious to not just focus on one compliance risk area, but to focus on a 
plurality of the top areas of concern. Depending on the number of compliance areas in 
need of attendance, one of ordinary skill in the art would have found it obvious to 
identify the top 3-5 compliance requirement that have the greatest risk to the business, 
so that those risks can be minimized. 

For claims 22,53, not specifically disclosed is determining failure modes for each 
step in a process. In the rejection for claim 1, the issue of determining failure modes 
and causes and effects was addressed. With respect to determining failure modes for 
each step in a process, one of ordinary skill in the art would have been motivated to do 
a complete failure mode analysis, which would involve looking at all steps of a process 
where failures could occur. One of ordinary skill in the art would be motivated to look at 
the entire process, not just one step, so that the analysis would be complete and as 
accurate as possible. With respect to brainstorming potential effects, this is part of the 
determination of the cause and effects that has been previously addressed. 
Brainstorming is just coming up with what the effects could be. 

For claims 25,55,56, not disclosed is the step of entering the recommended 
actions, an owner, and an expected date of completion into the matrix. The limitation of 
determining actions to be taken has already been addressed. With respect to the 
entering of these actions in addition to an owner and an expected completion date, one 
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of ordinary skill in the art would have been motivated to track the recommended actions, 
who is responsible for ensuring they are followed through on, and when it is expected 
that they are going to be completed. This is information that one of ordinary skill in the 
art would have recognized as being important. If you take the time to formulate some 
actions that can be taken to minimize the risk to a company, you would also be 
motivated to track the progress of those actions and document who is responsible for 
ensuring that those actions are undertaken, along with dates of when it will be 
completed, so that the management personnel overseeing the implementation of these 
actions will know what they are doing, who is doing it, and what the timeline is for the 
progress of those actions. One of ordinary skill in the art would have been motivated to 
do what is claimed. 

For claims 26,27,57, not disclosed is the reassigning of ratings and recalculation 
of the RPN or monitoring the progress. When one is using the method of Fetherston to 
address compliance risks, one of ordinary skill in the art would have been motivated to 
revisit the issues at a later point in time to see whether or not the risk of non-compliance 
has gone down (monitoring the progress). One of ordinary skill in the art would have 
found it obvious to recalculate the severity rating and take another look at whether or 
not the previously determined risk is still a priority that needs to be addressed. This 
inherently involves recalculating the RPN. 

For claims 28,58, with respect to the use of a policy scorecard, one of ordinary 
skill in the art at the time the invention was made would have found it obvious to have 
some manner by which one could grade the efforts of management in compliance 
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monitoring and in correcting any issues of non-compliance. This limitation is interpreted 
to be the mere assessment or appraisal of the company in its efforts to ensure company 
compliance and in fixing the problems. Appraisals or reports (scorecards) on the 
performance of a company or a part of a company are nothing new (i.e. GAO reports of 
the Federal Government). 

For claims 60-62, the prior art is fully capable of operating as claimed. The 
server can receive information in any of the claimed manners. 

10. Applicant's arguments with respect to claims 1-89 have been considered but are 
moot in view of the new ground(s) of rejection. 

1 1 . Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Dennis Ruhl whose telephone number is 571-272-6808. 
The examiner can normally be reached on Monday through Friday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, John Weiss can be reached on 571-272-6812. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov: Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 




DENNIS RUHL 
PRIMARY EXAMINER 



